Call for Free Security Logs After Microsoft eMail Key Debacle
Last week, Microsoft disclosed that hackers with ties to China’s government used forged authentication tokens to break into email accounts at US government agencies and other organizations. It is not yet clear how the attacker obtained the encryption key necessary to create the tokens. The attack can be detected only by Microsoft customers with certain, more-expensive licenses. The situation has not escaped the notice of government officials: in a press call, a senior CISA official said that “Every organization using a technology service like Microsoft 365 should have access to logging and other security data out of the box.”
A little over twenty years ago Bill Gates kicked off the now infamous Trustworthy Computing Initiative in Microsoft in response to security concerns over Windows. It’s now time for a similar Trustworthy Cloud Computing Initiative to be started in Microsoft, and other cloud service providers, to ensure security is built into the cloud services being provided and not provided as an optional extra with additional costs.
The cost savings from moving to the cloud have to come from somewhere. If you want full insight into who accesses your data, how, and when: stay on premises. If you move to the cloud, you better hope that cloud providers can keep their access keys secure as once they lose them, even the most expensive logging option is unlikely to keep you secure.
While there is call for tiered services for cloud offerings, log information should not be tiered: it should be available at all license levels, ideally with options to send it straight to your SIEM/SOAR platform. That said, if you're a Microsoft 365 customer, talk to your technical account representative about what level of visibility can be gained by having E5/G5 licenses for your security and tenant administration teams, vs. upgrading all users to those levels.
Microsoft should do this and make logging available to all users. It just makes security sense. Even if they don’t store any logs or make you pay for extra storage, the logs should be available and exportable to everyone. This level of goodwill will go a long way. Is this the generational Windows XP SP2 story, and will we talk about this in 10 years?
Back in 2021 Microsoft was in the news for the extra costs associated with Advanced Audit and the costs to store those audit logs. They offered a 1-year free trial to Gov Cloud users and… things quieted down. Fast forward two years and we’re talking about access to advanced logging, again. Here’s the rub: a security practitioner wants everything logged for when a security incident occurs; I can’t argue with that position. Yet, that logging comes at a cost to the company in both storage and the skills necessary to review. What really should be discussed is how the evil-doer got access to an inactive signing key. That seems to be the more serious security lapse on Microsoft’s part.